Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-10 Thread Rohit Yadav
on upgrades? - Rohit <https://cloudstack.apache.org> From: Khosrow Moossavi <kmooss...@cloudops.com> Sent: Thursday, April 5, 2018 3:15:07 AM To: dev Subject: Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault Thanks Ilya for the feedba

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Khosrow Moossavi

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Rafael Weingärtner

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread ilya musayev

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Khosrow Moossavi

RE: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Paul Angus

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Rafael Weingärtner
Thanks for sharing the details. Now I have a better perspective of the proposal. It is an interesting integration of CloudStack VPN service with Vault PKI feature. On Wed, Apr 4, 2018 at 12:38 PM, Khosrow Moossavi wrote: > One of the things Vault does is essentially one

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Khosrow Moossavi
One of the things Vault does is essentially one of the things Let's Encrypt does, acting as CA and generating/signing certificates. From the Vault website itself: "HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Rafael Weingärtner
Got it. Thanks for the explanations. There is one other thing I do not understand. This Vault thing that you mention, how does it work? Is it similar to Let's Encrypt? On Wed, Apr 4, 2018 at 12:15 PM, Khosrow Moossavi wrote: > On Wed, Apr 4, 2018 at 10:36 AM, Rafael

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Khosrow Moossavi
On Wed, Apr 4, 2018 at 10:36 AM, Rafael Weingärtner < rafaelweingart...@gmail.com> wrote: > So, you need a certificate that is signed by the CA that is used by the VPN > service. Is that it? > > Correct, a self-signed "server certificate" against the CA, to be installed directly on the VR. > > It has

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Rafael Weingärtner
So, you need a certificate that is signed by the CA that is used by the VPN service. Is that it? It has been a while since I configured these VPN systems; do you need access to the private key of the CA? Or, does the program simply validate the user (VPN client) certificate to see if it is

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Khosrow Moossavi
Rafael, We cannot use SshKeyPair functionality because the proposed VPN implementation does need a signed certificate and not an SSH key pair. The process is as follows: 1) generate root CA (if it doesn't exist) 2) generate a bunch of intermediate steps (config urls, CRLs, role name, ...) [I'm not

Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

2018-04-04 Thread Rafael Weingärtner
Khosrow, thanks for the interesting feature. You mention two possible methods to manage certificates; one using the CA framework, and the other using a third party such as Vault and Let's Encrypt. Have you considered using the sshKeyPair API methods (is it part of the CA framework?)? I mean, users